[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 15.635206][ C1] random: crng init done
[ 15.639696][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.245' (ECDSA) to the list of known hosts.
executing program
[ 22.497560][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.027089][ T12] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.036381][ T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.044598][ T12] usb 1-1: Product: syz
[ 23.048836][ T12] usb 1-1: Manufacturer: syz
[ 23.053540][ T12] usb 1-1: SerialNumber: syz
[ 23.098018][ T12] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 23.726311][ T12] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.128038][ T278] usb 1-1: USB disconnect, device number 2
[ 24.995564][ T12] usb 1-1: Service connection timeout for: 256
[ 25.002034][ T12] ==================================================================
[ 25.010163][ T12] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.016822][ T12] Read of size 4 at addr ffff8881cdcb6c14 by task kworker/0:1/12
[ 25.024516][ T12]
[ 25.026837][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.034967][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.045016][ T12] Workqueue: events request_firmware_work_func
[ 25.051164][ T12] Call Trace:
[ 25.054439][ T12]  dump_stack+0xef/0x16e
[ 25.058712][ T12]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.065717][ T12]  ? vprintk_func+0x7d/0x113
[ 25.070292][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.074606][ T12]  __kasan_report.cold+0x37/0x7d
[ 25.079610][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.083922][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.088356][ T12]  kasan_report+0x33/0x50
[ 25.092674][ T12]  check_memory_region+0x173/0x1d0
[ 25.097780][ T12]  kfree_skb+0x32/0x3d0
[ 25.101998][ T12]  htc_connect_service.cold+0xa9/0x109
[ 25.107454][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.112287][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 25.117242][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.123427][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.129046][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.135463][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.140736][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.146289][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 25.151667][ T12]  ? tasklet_init+0x69/0x110
[ 25.156375][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.161825][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.168483][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 25.173406][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 25.178627][ T12]  ? usb_free_urb+0x1b/0x30
[ 25.183410][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 25.188169][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.193802][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.199160][ T12]  request_firmware_work_func+0x126/0x242
[ 25.204899][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 25.210546][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.216084][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.221354][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.226532][ T12]  process_one_work+0x965/0x1630
[ 25.231453][ T12]  ? lock_release+0x720/0x720
[ 25.236238][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.241614][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 25.246549][ T12]  worker_thread+0x96/0xe20
[ 25.251049][ T12]  ? process_one_work+0x1630/0x1630
[ 25.256255][ T12]  kthread+0x326/0x430
[ 25.260337][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 25.265785][ T12]  ret_from_fork+0x24/0x30
[ 25.270183][ T12]
[ 25.272505][ T12] Allocated by task 12:
[ 25.276662][ T12]  save_stack+0x1b/0x40
[ 25.280817][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.286432][ T12]  kmem_cache_alloc_node+0xdc/0x330
[ 25.291757][ T12]  __alloc_skb+0xba/0x5a0
[ 25.296198][ T12]  htc_connect_service+0x2cc/0x840
[ 25.301395][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.306255][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.312664][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.318121][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 25.323031][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.328649][ T12]  request_firmware_work_func+0x126/0x242
[ 25.334349][ T12]  process_one_work+0x965/0x1630
[ 25.339272][ T12]  worker_thread+0x96/0xe20
[ 25.343791][ T12]  kthread+0x326/0x430
[ 25.347859][ T12]  ret_from_fork+0x24/0x30
[ 25.352357][ T12]
[ 25.354667][ T12] Freed by task 0:
[ 25.358385][ T12]  save_stack+0x1b/0x40
[ 25.362521][ T12]  __kasan_slab_free+0x117/0x160
[ 25.367456][ T12]  kmem_cache_free+0x9b/0x360
[ 25.372114][ T12]  kfree_skbmem+0xef/0x1b0
[ 25.376506][ T12]  kfree_skb+0x102/0x3d0
[ 25.381686][ T12]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 25.387328][ T12]  hif_usb_regout_cb+0x115/0x1c0
[ 25.392262][ T12]  __usb_hcd_giveback_urb+0x29a/0x550
[ 25.397614][ T12]  usb_hcd_giveback_urb+0x368/0x420
[ 25.402813][ T12]  dummy_timer+0x125e/0x32b4
[ 25.407383][ T12]  call_timer_fn+0x1ac/0x700
[ 25.412050][ T12]  run_timer_softirq+0x5f9/0x1500
[ 25.417074][ T12]  __do_softirq+0x21e/0x9aa
[ 25.421660][ T12]
[ 25.423979][ T12] The buggy address belongs to the object at ffff8881cdcb6b40
[ 25.423979][ T12]  which belongs to the cache skbuff_head_cache of size 224
[ 25.438770][ T12] The buggy address is located 212 bytes inside of
[ 25.438770][ T12]  224-byte region [ffff8881cdcb6b40, ffff8881cdcb6c20)
[ 25.452018][ T12] The buggy address belongs to the page:
[ 25.457633][ T12] page:ffffea0007372d80 refcount:1 mapcount:0 mapping:000000002eedf133 index:0x0
[ 25.466721][ T12] flags: 0x200000000000200(slab)
[ 25.471663][ T12] raw: 0200000000000200 0000000000000000 0000000a00000001 ffff8881da175400
[ 25.480777][ T12] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.489456][ T12] page dumped because: kasan: bad access detected
[ 25.495846][ T12]
[ 25.498159][ T12] Memory state around the buggy address:
[ 25.503770][ T12]  ffff8881cdcb6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.511829][ T12]  ffff8881cdcb6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.519898][ T12] >ffff8881cdcb6c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.527937][ T12]                          ^
[ 25.532504][ T12]  ffff8881cdcb6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.540545][ T12]  ffff8881cdcb6d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 25.548591][ T12] ==================================================================
[ 25.556649][ T12] Disabling lock debugging due to kernel taint
[ 25.563506][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 25.570100][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 25.580331][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.590486][ T12] Workqueue: events request_firmware_work_func
[ 25.596651][ T12] Call Trace:
[ 25.599939][ T12]  dump_stack+0xef/0x16e
[ 25.604200][ T12]  panic+0x2aa/0x6e1
[ 25.608111][ T12]  ? add_taint.cold+0x16/0x16
[ 25.612771][ T12]  ? retint_kernel+0x10/0x10
[ 25.617611][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.621949][ T12]  ? trace_hardirqs_on+0x55/0x200
[ 25.626950][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.631268][ T12]  end_report+0x4d/0x53
[ 25.635406][ T12]  __kasan_report.cold+0x72/0x7d
[ 25.640337][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.644640][ T12]  ? kfree_skb+0x32/0x3d0
[ 25.648961][ T12]  kasan_report+0x33/0x50
[ 25.653285][ T12]  check_memory_region+0x173/0x1d0
[ 25.658397][ T12]  kfree_skb+0x32/0x3d0
[ 25.663231][ T12]  htc_connect_service.cold+0xa9/0x109
[ 25.668686][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.673521][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 25.678362][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.684445][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.690057][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.696595][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.701873][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.707439][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 25.712701][ T12]  ? tasklet_init+0x69/0x110
[ 25.717285][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.722723][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.729378][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 25.734295][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 25.739485][ T12]  ? usb_free_urb+0x1b/0x30
[ 25.743967][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 25.748728][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.754339][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.759690][ T12]  request_firmware_work_func+0x126/0x242
[ 25.765392][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 25.771024][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.776567][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.781849][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.787110][ T12]  process_one_work+0x965/0x1630
[ 25.792060][ T12]  ? lock_release+0x720/0x720
[ 25.796724][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.802079][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 25.807010][ T12]  worker_thread+0x96/0xe20
[ 25.811518][ T12]  ? process_one_work+0x1630/0x1630
[ 25.816695][ T12]  kthread+0x326/0x430
[ 25.820757][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 25.826105][ T12]  ret_from_fork+0x24/0x30
[ 25.831230][ T12] Kernel Offset: disabled
[ 25.835559][ T12] Rebooting in 86400 seconds..